
Security issues lead IT to block Outlook for iOS

IT could face a security nightmare with the new Outlook for iOS app due to some major issues and a lack of MDM integration.

Security shortcomings for the new Outlook for iOS app have companies putting the brakes on the app before they've even fired up the engine.

The most glaring omission in the new Outlook applications for Apple iOS and Google Android is the lack of integration with mobile device management (MDM) platforms, which makes them a non-starter for many enterprises.

Yet issues with security, particularly with the Outlook for iOS app, appear to run even deeper. A blog post written by Rene Winkelmeyer, head of development with German consulting services and software development company Midpoints, outlined several major security concerns for the app.

The app connects to file-sharing services such as Dropbox, Google Drive and Microsoft OneDrive, so any user can set up a personal account within the app and share mail attachments using those services, Winkelmeyer wrote in the blog post. The catch is that administrators can't control in-app communication.

Containerization may help with controlling that communication, but only if a software development kit is implemented around an app like Outlook for iOS, Winkelmeyer said in an email.

"An option could be to force all device communication over [a virtual private network] via MDM and block from there, i.e. Dropbox access," he said. "But that'll mean big changes in the VPN infrastructure for lots of companies as all device traffic would be affected."

Outlook for iOS also shares the same Exchange ActiveSync client ID across all of the user's devices, meaning IT can't distinguish whether someone is using their iPhone or iPad to access the app, Winkelmeyer wrote in the blog.

Lastly, and perhaps most problematically for IT, anyone who uses the app faces the reality that Microsoft could store that individual's email credentials in the cloud. After sending a test email, Winkelmeyer discovered "a frequent scanning from an [Amazon Web Services] IP" to his email account and found Microsoft was storing his personal credentials and server data in the cloud.

"That may be fine for companies which already use Microsoft's cloud," he said in an email. "But for companies that have their ActiveSync server for their own reasons not in the cloud, it's a big problem."

Opting out of Outlook for iOS

In response to Winkelmeyer's post, Microsoft said Outlook for iOS's privacy and security capabilities, along with controls available to IT administrators, meet the company's established thresholds and Microsoft continuously works to meet security standards.

Customers can consult the Controlling Device Access TechNet guidance to block the app and use the OWA for iPhone, iPad or Android apps if they have security concerns, a Microsoft spokesperson said.

A West Coast private equity firm that invests in software and other technology-related businesses has concerns over Outlook for iOS and isn't taking any chances.

"We have advised all of our portfolio companies to block this app from connecting to their Exchange/Office 365 instances for now," said the firm's IT program director, who requested anonymity. 

The firm recommends this because Microsoft can store sensitive data in the cloud and IT has no control over Microsoft doing that. Plus, the Outlook for iOS app is a version 1.0 product.

"We don't want to be guinea pigs," he said. "We won't be looking to jump into the first version and at least wait until the first few service packs to come out."

Apps could be compliance non-starter

The Outlook for Android app is only in preview mode while the iOS app is generally available. The apps are rebranded versions of Acompli, which was acquired by Microsoft in December.

Some expect Microsoft to improve the code quality from Acompli to meet its own standards in the near future, said Wes Miller, vice president of research at Directions on Microsoft, an IT analysis firm in Kirkland, Wash.

"It could be Microsoft saying, 'We have to figure out these issues and we'll fix it over time,' and they could be downplaying them right now," Miller said.

In an IT environment conscious of preventing security breaches and access to encryption keys, the Outlook apps may be a non-starter for companies that must be in compliance with regulations limiting who has access to that kind of important information.

"It may be impossible for a company to be in compliance if that information is being stored elsewhere," Miller said.

Microsoft plans to add MDM integration for the apps in the future, the company said in a blog post. MDM will help rectify these security issues to a certain point, Winkelmeyer said. MDM can let you blacklist an app or block some actions, but unless admins block access to the App Store, preventing downloads of the app on an iOS device is impossible.

Microsoft is planning to build a level of MDM directly within the Office 365 suite, which the company said would be ready this quarter. It may have been advantageous for Microsoft to have that feature released in time for the new mobile Outlook apps, Miller said.
